Google and Privacy: an EPIC Fail…

This isn’t a post about Google’s struggles with privacy specifically, but rather about the Electronic Privacy Information Center’s (EPIC) tactics in a complaint/petition filed with the FTC, in which EPIC claims that the privacy and security risks associated with Google’s “Cloud Computing Services” are inadequate, injurious to consumers, and that Google has engaged in “unfair and/or deceptive trade policies.”

EPIC is petitioning the FTC to “…enjoin Google from offering such services until safeguards are verifiably established” as well as compel them to “…contribute $5,000,000 to a public fund that will help support research concerning privacy enhancing technologies.”

In reading the petition, which you can find here, you will notice that parallels are drawn and overtly called out that liken Google’s recent issues to those of TJX and ChoicePoint. The report is a rambling mess of hyperbolic references and footnotes which appears meant to froth the FTC into action, especially by suggesting the overt comparison to the breaches of confidential information from the likes of the aforementioned companies.

EPIC suggests that Google’s inadequate security is both an unfair business practice and a deceptive trade practice, and while these two claims make up the meat of the complaint, they represent the smallest amount of text in the report with the most amount of emotive melodrama: “…consumer’s justified privacy expectations were dashed…” “…the Google Docs Data Breach exposed consumers’ personal information…” I can haz evidence of these claims, please?

While I’m not happy with some of Google’s practices as they relate to privacy, nor am I pleased with hiccups they’ve had with services like GMail and the most recent “privacy pollution” issue surrounding Google Docs, here’s an interesting factoid that EPIC seems to have missed:

Google Apps like those mentioned are FREE. We consumers are not engaging in “Trade” when we don’t pay for said services. Further, we as consumers must accept the risk associated with said offerings when we agree to the terms of service. Right, wrong, or indifferent, you get what you pay for and should expect NO privacy despite Google’s best efforts to provide it (or not.)

I could tolerate this pandering to the FTC if it were not for what amounts to jumping the shark on the part of EPIC by plastering Cloud Computing as the root of all evil (with Google as the ringmaster) and the blatant publicity stunt and fundraising attempt by demanding that the FTC “compel” Google to bleed out $5,000,000 to a fund that would likely feed more of this sort of drivel.

If we want privacy advancements with Google or any Cloud Computing service provider, this isn’t the way to do it.

As my good friend David Mortman said, “EPIC apparently thinks it’s all about publicity. They are turning into the PETA of privacy.”

I agree. What’s next? Will we rename personally identifiable information to “information kittens?”

/Hoff

P.S. Again, I am not trying to downplay any concerns with privacy in Cloud Computing because EPIC’s report does do a reasonable job of highlighting issues. My friend Zach Lanier (@quine) did a great job summarizing his reaction to the post here:

It’s almost as though EPIC need to remind everyone that they still exist and haven’t become entirely decrepit and overshadowed by the EFF. The document is well assembled, citing examples that most users *don’t* consider when using Google services (or just about any *aaS, for that matter). Incidentally, the complaint references a recently published report from the World Privacy Forum on privacy risks in Cloud Computing[1]. Both documents raise a few similar points.

For example, how many of us actually read, end-to-end, the TOS and privacy policy of the Provider? How many of us validate claims like “your data are safe from unauthorized access when you store it on our Cumulonimbus Mega Awesome Cloud Storage Platform”?

I, for one, laud EPIC’s past efforts and the heart whence this complaint


The part of EPIC's letter that I do agree with is sections 21 through 23 where EPIC points out the apparent contradiction of Google claiming their service is "secure" and you suggesting users can safely put their private data on-line and the EULA that indemnifies Google from any loss.

Yes, users have to choose to put their personal data into Google's apps, but Google is saying that it is safe to do so. They are building trust.

Remember, Google Docs is just one service they are offering. What about Google Health? It is hard to get people to just put their medical records into an on-line service. Look at the health policy http://www.google.com/intl/en-US/health/privacy.h… Near the top, Google says it "will not sell, rent, or share your information (identified or de-identified) without your explicit consent" and then goes on to say "Google will use aggregate data to publish trend statistics and associations."

Hrm, aggregation looks like using my data in a de-identifiable way to me.

The problem, Chris, Google is contradictory in its statements. "Trust us, but we won't guarantee that trust." "We won't share your information with anyone, but really *wink* *wink*, we will."

Clearly Google is setting up an expectation of privacy and then pulling it down later *if* you go look at the privacy policies.

However contradictory as some of those statements are, if you agree to the ToS wherein the aggregation of data is described as something they will do, then it's not sharing it without your permission because to use the service, you just gave it 😉

Sneaky? Yes.

I certainly have looked at their privacy policies. I accepted the risk therein, also. People don't get to abdicate common sense and personal responsibility and then blame Google when they agreed to the ToS without reading it 😉

You get what you agreed to (and paid for.)

Again, I'm not saying I advocate it, I'm just playing devil's, um, advocate in pointing out the other side (or at least trying to.)